If your bank doesn't have some form of 2FA then they're seriously doing something wrong...
New Password Requirements and Password Reset
Moderator: GZDoom Developers
-
- Posts: 309
- Joined: Tue Apr 10, 2018 8:14 am
-
- Posts: 95
- Joined: Thu Jul 13, 2017 3:04 pm
- Preferred Pronouns: She/Her
- Operating System Version (Optional): Win11, MacOS Ventura
- Graphics Processor: Apple M1
Re: New Password Requirements and Password Reset
Right. If you notice, most places are either shorter password + 2fa or long password. Most places have 2fa, though, so...almost everywhere uses shorter passwordsPhredreeke wrote: ↑Fri Jan 20, 2023 5:59 pmIf your bank doesn't have some form of 2FA then they're seriously doing something wrong...
-
- Posts: 45
- Joined: Thu Mar 11, 2004 3:58 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
One thing to note is that Chrome's password generator produces 15 character passwords.
For a local password generator and manager look into https://keepass.info/
For a local password generator and manager look into https://keepass.info/
-
- Posts: 19
- Joined: Wed Jan 16, 2019 5:42 pm
Re: New Password Requirements and Password Reset
This is absolutely ridiculous and out of touch with reality, a 20 character password would've sufficed (still too much), but with capital and lowercase letters? AND numbers? What do you think you're protecting here, Fort Knox?
-
- Posts: 95
- Joined: Thu Jul 13, 2017 3:04 pm
- Preferred Pronouns: She/Her
- Operating System Version (Optional): Win11, MacOS Ventura
- Graphics Processor: Apple M1
Re: New Password Requirements and Password Reset
We sincerely apologise for the inconvenience and annoyance that this new policy causes. We've looked into alternatives and, unfortunately none appear viable at this time Since password complexity was the only route available to us, we had to increase said complexity beyond what is typical. I can personally vouch for the fact that PHPBB is very difficult to defend from spam and hacking, so we hope that you understand <3alekksandar wrote: ↑Sun Jan 22, 2023 2:06 pm This is absolutely ridiculous and out of touch with reality, a 20 character password would've sufficed (still too much), but with capital and lowercase letters? AND numbers? What do you think you're protecting here, Fort Knox?
-
- Posts: 45
- Joined: Thu Mar 11, 2004 3:58 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
Does phpBB have any sort of brute force protection? If so, even 15 character would be resistant to anything short of stealing the database and running the hashes through a GPU cracker.CandiceJoy wrote: ↑Sun Jan 22, 2023 7:14 pmWe sincerely apologise for the inconvenience and annoyance that this new policy causes. We've looked into alternatives and, unfortunately none appear viable at this time Since password complexity was the only route available to us, we had to increase said complexity beyond what is typical. I can personally vouch for the fact that PHPBB is very difficult to defend from spam and hacking, so we hope that you understand <3alekksandar wrote: ↑Sun Jan 22, 2023 2:06 pm This is absolutely ridiculous and out of touch with reality, a 20 character password would've sufficed (still too much), but with capital and lowercase letters? AND numbers? What do you think you're protecting here, Fort Knox?
-
-
- Posts: 4143
- Joined: Thu Jul 17, 2003 12:19 am
- Graphics Processor: nVidia (Legacy GZDoom)
- Location: British Columbia, Canada
Re: New Password Requirements and Password Reset
I do not quite understand why so many are so resistant to using a 20 character password, when it is so easy.
After all, they don't have to deal with the hazzle of keeping the forum going and coping with rebuilding the
forum when it gets hacked. Rachael et al are doing an excellent job.
I used the password generator from programming.de,
then saved the generated password in a text file.
Now, all that is required is to copy/paste the password into the login.
Eesy peesy.
After all, they don't have to deal with the hazzle of keeping the forum going and coping with rebuilding the
forum when it gets hacked. Rachael et al are doing an excellent job.
I used the password generator from programming.de,
then saved the generated password in a text file.
Now, all that is required is to copy/paste the password into the login.
Eesy peesy.
-
- Spotlight Team
- Posts: 1084
- Joined: Mon Nov 25, 2019 8:54 am
- Graphics Processor: Intel (Modern GZDoom)
Re: New Password Requirements and Password Reset
I have been pondering this method of execution for some days now. Read the pro's, read the cons. Using Bitwarden. I changed it from a 14 character pass to a 30 character one (A random pass mixed with my old one, works like a charm).
For better or worse i reckon we can all agree this measurement is excessive but purely only so because it needs to be done to fight off spam and because the more obvious choices (OAuth/2FA) have their own issues to work with the backend as-is.
Obviously this isn't an ideal scenario. The next thing you know, we are at a 35 character pass (Which it originally was). I mean, i don't mind, i play along and will happily do a 100 character pass... but it is excessive.
The OAuth situation surprises me, primarily because that's what i use on our hospital's wiki. Ofcourse, that has a whole virtualized security grid behind it that filters out most of the doo-doo's... but you can't just keep on expanding on characters. That right there is a finite limit that will be reached unless we can come up with something smart.
So TLDR: I get ''why'' it is done and i also get ''why'' it is difficult to seek an alternative. But i also get ''why'' this will have a finite limit if some miraculous idea won't spring up.
For better or worse i reckon we can all agree this measurement is excessive but purely only so because it needs to be done to fight off spam and because the more obvious choices (OAuth/2FA) have their own issues to work with the backend as-is.
Obviously this isn't an ideal scenario. The next thing you know, we are at a 35 character pass (Which it originally was). I mean, i don't mind, i play along and will happily do a 100 character pass... but it is excessive.
The OAuth situation surprises me, primarily because that's what i use on our hospital's wiki. Ofcourse, that has a whole virtualized security grid behind it that filters out most of the doo-doo's... but you can't just keep on expanding on characters. That right there is a finite limit that will be reached unless we can come up with something smart.
So TLDR: I get ''why'' it is done and i also get ''why'' it is difficult to seek an alternative. But i also get ''why'' this will have a finite limit if some miraculous idea won't spring up.
I am glad you are ignoring all the reasons ''why'' this has to be done in this particular way.
Glad you came back just to spit on staff decisions without any care in the world. I guess your new years good intentions were this.
-
- Posts: 95
- Joined: Thu Jul 13, 2017 3:04 pm
- Preferred Pronouns: She/Her
- Operating System Version (Optional): Win11, MacOS Ventura
- Graphics Processor: Apple M1
Re: New Password Requirements and Password Reset
Honestly, I agree. I think if 20 characters with the complexity requirement is insufficient, I would personally prefer we seek an alternative other than lengthening passwords again. But that's just my 2 centsRedneckerz wrote: ↑Mon Jan 23, 2023 3:07 pm but you can't just keep on expanding on characters. That right there is a finite limit that will be reached unless we can come up with something smart.
-
- Posts: 56
- Joined: Sun Jun 22, 2008 12:00 am
Re: New Password Requirements and Password Reset
So, whats going on? Are forums accounts under constant brute-force attack?
Thats why you are changing password policy?
Thats why you are changing password policy?
-
- Posts: 852
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
Not necessarily constant.
-
- Posts: 13718
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: New Password Requirements and Password Reset
It is constant. Just because you don't see it doesn't mean it's not happening. People run those bots 24/7, so yes, it's constant.
You only see the accounts getting compromised that have not properly protected themselves - and that's the same for us, too.
You only see the accounts getting compromised that have not properly protected themselves - and that's the same for us, too.
-
- Posts: 56
- Joined: Sun Jun 22, 2008 12:00 am
Re: New Password Requirements and Password Reset
Ugh.. damn savages.. I know that pain.. My IP blacklist is growing and growing..
fwcli> stats rules
427 rules in DB
427 subnets (not IPs!) with size of minimum /24 (class C) or larger..
I can give you some hints at PM if you want
fwcli> stats rules
427 rules in DB
427 subnets (not IPs!) with size of minimum /24 (class C) or larger..
I can give you some hints at PM if you want
-
- Posts: 13718
- Joined: Tue Jan 13, 2004 1:31 pm
- Preferred Pronouns: She/Her
Re: New Password Requirements and Password Reset
The forum already has a system that blocks IP logins from individual hosts for several hours after a failed login attempt, at least without engaging the captcha. I've reduced the maximum number of captcha-free attempts per IP down to 1 now, since recaptcha3 is automatic anyway.
-
- Posts: 168
- Joined: Mon Jul 12, 2021 1:45 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
That's bad news for people with script blockers who for some reason got their settings reset, e.g., due to a new OS installation -- even if that was on another machine. NoScript will reset its centrally stored settings anyway because reasons. Other blockers might save their settings per machine.
It typically takes three attempts to get a Captcha become visible since you need to reload the page after every change that unlocks some additional functionality. If your browser keeps trying to sign you in automatically using outdated credentials, this will probably cause your IP to get blocked.